Page 1 of the English language of the Specification makes it clear that the intended 
numbering should be as on the Replacement drawing sheet. 



Also enclosed are replacement sheets for Figures 16 and 18. In both instances the arrow 
leading into element 166 incorrectly originated with element 165 rather than element 164. 
Again, the proper flow through the algorithm is evident from the Specification. 

In the Claims: 

Please add the following new claims: 





A microcontroller having a set of resource constraint/and comprising: 
a memory, and 

an interpreter loaded in memory and operate within the set of resource 
constraints, 

the microcontroller having: at least one^pplication loaded in the memory to be 
interpreted by the interpreter, wherein the at least one application is generated by 
a programming environment comprising: 

a) a compiler for comfuling application source programs in high level 
language source cpoe form into a compiled form, and 

b) a converter for post processing the compiled form into a minimized 
form suitable for interpretation by the interpreter. 

-H)T. The microcontroller of Claim ]&6, wherein the compiled form includes attributes, 
and the converter comprises a means for including attributes required by the 
interpreter while not including the attributes not required by the interpreter. 



The microcontroller of Claim JP6 wherein the compiled form is in a standard Java 
class file format and the converter accepts as input the compiled form in the standard 
Java class file format and produces output in a form suitable for interpretation by the 
interpreter. 



t©^. The microcontroller of Claim \Q6 wherein the compiled form includes associating 
an identifying string for objects, classes, fields, or methods, and the converter 
comprises a means for mapping such strings to unique identifiers. 

J4tT The microcontroller of Claim 109^wherein each unique identifier is an integer. 

The microcontroller of Claim W$ wherein the mapping of strings to unique 
identifiers is stored in a string to identifier map file. 

*tf2. The microcontroller of Claim \Q6 where in the high level language supports a 
first set of features and a first set of data types and the interpreter supports a subset of 
the first set of features and a subset of the first set of data types, and wherein the 
converter verifies that the compiled form only contains features in the subset of the 
first set of features and only contains data types in the subset of the first set of data 
types. 



113. The microcontroller of Claim 109 whereir^tne compiled form is in a byte code 
format and the converter comprises means f;or translating from the byte codes in the 
compiled form to byte codes in a formatysmtable for interpretation by the interpreter 
by: 



using at least one step in a process including the steps: 

a) recording all jumps and to^ir destinations in the original byte codes; 

b) converting specific byte codes into equivalent generic byte codes or vice-versa; 

c) modifying byte cod^operands from references using identifying strings to 
references using unique identifiers; and 

d) renumbering byt/codes in the compiled form to equivalent byte codes in the 
format suitable for interpretation; and 

relinking jumps for'which destination address is effected by conversion step a), b), c), or 

^ / 
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The microcontroller of Claim 196 wherein the application program is compiled 
into a compiled form for which resources required to execute or interpret the 
compiled form exceed those available on the microcontroller. 

The microcontroller of Claim 186 wherein the compiled form is designed for 
portability on different computer platforms. 

J-WT. The microcontroller of Claim U96 wherein the interpreter is further configured to 
determine, during an interpretation of an application, whether the application meets a 
security criteria selected from a set of rules containing at least one rule selected from 
the set: 

not allowing the application access to unauthorized portions of memory, 
not allowing the application access to unauthorized microcontroller 
resources, 

wherein the application is composed of byte codes and checking a 
plurality of byte codes at least once prior to execution to verify that 
execution of the byte codes does not violate a security constraint. 

if C6 

X^f. The microcontroller of Claim JJ96 wherein at least one application program is 
generated by a process including the steps of: 

prior to loading the application verifying that the application does not 
violate any security constraints; and 
loading the application in a secure manner. 

The microcontroller of Claim jJ^T wherein the step of loading in a secure manner 
comprises the step of: 
verifying that the loading identity has permission to load applications onto the 
microcontroller. 



.UHJ. The microcontroller of Claim \¥f wherein the step of loading in a secure manner 
comprises the step of: 



A 




encrypting the application to be loaded using a loading key. 

/ 

120. A method of programming a microcontroller having a memory and a processor 
operating according to a set of resource constraints, the method comprisijig*tfie steps 
of: 

inputting an application program in a first prog^itfming language; 

compiling the application program in tlje<first programming language into a first 
intermediate code associated with the fifsfprogramming language, wherein the first 
intermediate code being interpip&me by at least one first intermediate code virtual 
machine; 

converting p£ first intermediate code into a second intermediate code; wherein 
the second intermediate code is interpretable by at least one second intermediate code 
virtual macmne; and 

fading the second intermediate code into the memory of the microcontroller. 

71 71 

<t21*r The method of programming a microcontroller of Claim pCT wherein the step of 

converting further comprises: 

associating an identifying string for objects, classes, fields, or methods; and 
mapping such strings to unique identifiers. 



The method of Claim ]2f[ wherein the step of mapping comprises the step of 
mapping strings to integers. 

123. The method of Claim 120 wherein the ste^df converting comprises at least one of 
the steps of: 

a) recording all jumps and their destinations in the original byte codes; 

b) converting specific byte codes into equivalent generic byte codes or vice-versa; 

c) modifying byte code operands from references using identifying strings to 
references using unique identifiers; 

d) renumbering byte codes in a compiled format to equivalent byte codes in a format 
suitable for interpretation; and 



e) relinking jumps for whjch-destination address is effected by conversion step a), 
b), c), or d). 



The method of Claim \2$ wherein the step of loading the second intermediate 
code into the memory of the microcontroller further comprises checking the second 
intermediate code prior to loading the second intermediate code to verify that the 
second intermediate code meets a predefined integrity check and that loading is 
performed according to a security protocol. 

i€5T The method of Claim J^f wherein the security protocol requires that a particular 
identity must be validated to permit loading prior to the loading of the second 
intermediate code. 

i% it 

)2fi. The method of Claim J^f further characterized by providing a decryption key and 
wherein the security protocol requires that the second intermediate code is encrypted 
using a loading key corresponding to the decryption key. 



127. A microcontroller operable to execute derivative programs which are derivatives 
of programs written in an interpretable programing language having a memory and 
an interpreter, the microcontroller comprising 

/ 

(a) the microcontroller operating within/a set of resource constraints including the 
memory being of insufficient size to permit interpretation of programs written in 
the interpretable programming language; and 

(b) the memory containing an interpreter operable to interpret the derivative programs 
written in the derivative of the interpretable language wherein a derivative of a 
program written in the interpretable programming language is derived from the 
program written in the interpretable programming language by applying at least 
one rule selected from a set of rules including: 

(1) mapping strings to identifiers; 

(2) performing security checks prior to or during interpretation; 




(3) performing structural checjc-s prior to or during interpretation; and 

(4) performing semantic checks prior to or during interpretation. 




128. The microcontroller of Claim 127 wherein the derivative programs are class files 
or derivatives of class files. 



129. The microcontroller of Claim 127 further comprising: 
the memory containing less than 1 megabyte of storage. 

130. The microcontroller of Claim 127 wherein the security checks the microcontroller 
is further comprising: 

(c) logic to receive a request from a requester to access one of a plurality of 
derivative programs; 

(d) after receipt of the request, determine whether the one of a plurality of derivative 
programs complies with a predetermined set of rules; and 

(e) based on the determination, selectively grant access to the requester to the one of 
the plurality of applications. 

131. The microcontroller of Claim 130, wherein the predetermined rules are enforced 
by the interpreter while the derivative program is being interpreted by determining 
whether the derivative program has access rights to a particular part of memory the 
derivative program is attempting to access. 

132. The microcontroller of Claim 127 further wherein the microcontroller is 
configured to perform at least one security check selected from the set having the 



(a) enforcing predetermined security rules while the derivative program is being 
interpreted, thereby preventing the derivative program from accessing 
unauthorized portions of memory or other unauthorized microcontroller 
resources, 



members: 
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(b) the interpreter being configured to check each bytecode at least onp^prior to 
execution to determine that the bytecode can be executed in acpdrdance with pre- 
execution and post-execution checks, and 

(c) the derivative program is checked prior to being loaded irfto the microcontroller to 
verify the integrity of the derivative program and loading is performed according 
to a security protocol. 

133. The microcontroller of Claim 132 wherein th^ security protocol requires that a 
particular identity must be validated to permit fading a derivative program onto a 
card. 



134. The microcontroller of Claim 132 farther comprising a decryption key wherein 
the security protocol requires that a derivative program to be loaded is encrypted 
using a loading key corresponding to the decryption key. 



135. The microcontroller of Claim 127 wherein the microcontroller is configured to 

/ 

provide cryptographic services selected from the set including encryption, decryption, 
signing, signature verification, mutual authentication, transport keys, and session 
keys. 

136. The microcontroller of Claim 127 further comprising a file system and wherein 
the microcontroller is configured to provide secure access to the file system through a 
means selected from the set including: 

(a) the microcontroller having access control lists for authorizing reading from a file, 
writing to a file, or deletion of a file, 

(b) the microcontroller enforcing key validation to establish the authorized access to a 
file, and 

(c) the microcontroller verifying card holder identity to establish the authorized 
access to a file.— 
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